From 3ce6c2b85dd0cb9514b74a5908c92875e67ff92c Mon Sep 17 00:00:00 2001
From: Cary Phillips
Date: Sun, 26 Jan 2025 13:38:40 -0800
Subject: [PATCH] Update security policy regarding backporting patches (#1961)

* Update security policy regarding backporting patches

This wording captures our policy: we commit to fixes for main and the
most recent minor release, but prior to that, discussed on a
case-by-case basis. Better to leave it at that than attempt to be more
specific, since those specifics can be determined based on the
situation.

Signed-off-by: Cary Phillips

* Support policy for 2.0-2.4:

2.4 was the first release by the ASWF, recent enough to negotiate
patches. Prior to that our knowledge is so limited, and CMake support
was so fragile, that we should not even entertain the possibility.

Signed-off-by: Cary Phillips

---------

Signed-off-by: Cary Phillips
---
 SECURITY.md | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index fcaa07698..4d16620e2 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -32,9 +32,9 @@ These vulnerabilities are present in the given versions: * [CVE-2020-16589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16589) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0 * [CVE-2020-16588](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16588) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0 * [CVE-2020-16587](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16587) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0 -* [CVE-2020-15306](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15306) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1 -* [CVE-2020-15305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15305) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1 -* [CVE-2020-15304](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15304) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1 +* [CVE-2020-15306](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15306) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1 +* [CVE-2020-15305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15305) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1 +* [CVE-2020-15304](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15304) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1 * [CVE-2020-11765](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11765) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0 * [CVE-2020-11764](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11764) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0 * [CVE-2020-11763](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11763) 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0 
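Review bot: the three removed and re-added CVE-2020-15304/15305/15306 lines in this hunk are textually identical as shown, so this is a whitespace or line-ending cleanup that has nothing to do with the backport policy change the commit message describes. Either drop it from this patch or say in the commit message that trailing whitespace was trimmed, so that someone auditing the history of the affected-versions list does not go looking for a change in the versions that was never made.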
@@ -61,17 +61,23 @@ See the [release notes](CHANGES.md) for more information. ## Supported Versions -This gives guidance about which branches are supported with patches to +This gives guidance about which releases/branches are supported with bug fixes and patches to security vulnerabilities. | Version / branch | Supported | -| --------- | ---------------------------------------------------- | -| main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. | -| 3.2.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility. | -| 3.1.x | :warning: Only the most critical fixes, only if they can be easily backported. | -| 3.0.x | :warning: Only the most critical fixes, only if they can be easily backported. | -| 2.5.x | :warning: Only the most critical fixes, only if they can be easily backported. | -| <= 1.x | :x: No longer receiving patches of any kind. | +|-------| ---------------------------------------------------- | +| main | :white_check_mark: :construction: All fixes immediately, although this branch is under development with potential unstable ABI/API +| 3.3.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility +| 3.2.x | :warning: Patch releases considered in response to specific requests +| 3.1.x | :warning: Patch releases considered in response to specific requests +| 3.0.x | :warning: Patch releases considered in response to specific requests +| 2.5.x | :warning: Patch releases considered in response to specific requests +| 2.4.x | :warning: Patch releases considered in response to specific requests +| 2.3.x | :x: No longer receiving patches of any kind +| 2.2.x | :x: No longer receiving patches of any kind +| 2.1.x | :x: No longer receiving patches of any kind +| 2.0.x | :x: No longer receiving patches of any kind +| 1.x | :x: No longer receiving patches of any kind ## Signed Releases 
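Review bot: the new table rows drop the closing `|` that the retained header row `| Version / branch | Supported |` and every removed row used (for example `| 3.2.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility. |`), so the table is now internally inconsistent; GFM tolerates an unterminated row, but other Markdown renderers do not always, so restore the trailing pipe on each new row. Two smaller points on the same hunk: the row `| 3.3.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility` hard-codes the release series, while the commit message states the policy as "main and the most recent minor release"; wording the row as "latest minor release (currently 3.3.x)" would keep the table from silently going stale at the next minor release. And "Patch releases considered in response to specific requests", repeated for 2.4.x through 3.2.x, does not say where such a request should go; pointing it at the file's vulnerability reporting process would make the row actionable.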
@@ -115,7 +121,7 @@ To verify a downloaded release at a given tag: - The library compresses/decompresses data via standard compression algorithms but uses no cryptographic or confidentiality protocols. - + ### Software Dependencies OpenEXR depends on
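Review bot: this hunk, like the first, is whitespace-only (a line holding only spaces becomes an empty line) and unrelated to the policy change; if the goal is to trim trailing whitespace across SECURITY.md, do it in its own commit so the policy change stays reviewable on its own.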